Hello. I have encountered some side effects of using Verify Receivers.
Setup is quite simple: 2 PMG in a cluster setup relay mail for my domains to the downstream Zimbra server.
Options: Use SPF enabled, verify receivers enabled with response code 550
PMG version:
proxmox-mailgateway: 8.1.0 (API: 8.1.2/c979cfd1d78a, running kernel: 6.8.4-3-pve)
pmg-api: 8.1.2
pmg-gui: 4.1.1
proxmox-kernel-helper: 8.1.0
pve-kernel-5.15: 7.4-12
pve-kernel-5.13: 7.1-9
proxmox-kernel-6.8: 6.8.8-4
proxmox-kernel-6.8.8-4-pve-signed: 6.8.8-4
proxmox-kernel-6.8.4-3-pve-signed: 6.8.4-3
proxmox-kernel-6.5.13-6-pve-signed: 6.5.13-6
proxmox-kernel-6.5: 6.5.13-6
proxmox-kernel-6.5.13-5-pve-signed: 6.5.13-5
pve-kernel-5.15.149-1-pve: 5.15.149-1
pve-kernel-5.15.131-2-pve: 5.15.131-3
pve-kernel-5.15.116-1-pve: 5.15.116-1
pve-kernel-5.15.83-1-pve: 5.15.83-1
pve-kernel-5.13.19-6-pve: 5.13.19-15
pve-kernel-5.13.19-1-pve: 5.13.19-3
clamav-daemon: 1.0.5+dfsg-1~deb12u1
ifupdown2: 3.2.0-1+pmx9
libarchive-perl: 3.6.2
libjs-extjs: 7.0.0-4
libjs-framework7: 4.4.7-2
libproxmox-acme-perl: 1.5.1
libproxmox-acme-plugins: 1.5.1
libpve-apiclient-perl: 3.3.2
libpve-common-perl: 8.2.1
libpve-http-server-perl: 5.1.0
libxdgmime-perl: 1.1.0
lvm2: 2.03.16-2
pmg-docs: 8.1.1
pmg-i18n: 3.2.2
pmg-log-tracker: 2.5.0
proxmox-mini-journalreader: 1.4.0
proxmox-offline-mirror-helper: 0.6.6
proxmox-spamassassin: 4.0.1-1
proxmox-widget-toolkit: 4.2.3
pve-firmware: 3.13-1
pve-xtermjs: 5.3.0-3
zfsutils-linux: 2.2.4-pve1
Situation:
There is some compromised MTA which spammers are using to send mail from an existing user in my domain (for example, legituser@domain.com in MAIL FROM) to non-existent users in my domain too (non-existentuser@domain.com in RCPT TO).
So, this mail comes from an MTA which definitely fails the SPF check, from an existing sender to a non-existent user. PMG checks the existence of the receiver at the downstream server and returns a 550 code to this bad MTA. Then the bad MTA bounces the message back to the "sender", and the mailbox legituser@domain.com ends up receiving all of the NDRs for messages that he didn't even send.
I assume that if PMG stops verifying recipients, these mails will go straight to the spam quarantine, because they wouldn't pass DMARC, they don't have a DKIM signature and come from a client missing in the SPF list.
Visualization:
Spammer -> Bad MTA --mail_to_nonexistent_user--> PMG --check_user_at_Zimbra--> PMG --return_550--> Bad MTA --NDR_to_existent_user--> PMG --NDR_to_existent_user--> Zimbra full of NDR
AFAIK this kind of mail gets rejected by the reject_unverified_recipient postfix option. And the DMARC check happens after the SMTP dialog.
Is there any way to prevent this behavior without turning off recipient verification globally and blacklisting the client? Thank you